<html> <head> <base href="https://bugs.freedesktop.org/"> </head> <body><table border="1" cellspacing="0" cellpadding="8"> <tr> <th>Bug ID</th> <td><a class="bz_bug_link bz_status_NEW " title="NEW - glyph.c ignores allocation failures with possible heap corruption" href="https://bugs.freedesktop.org/show_bug.cgi?id=107105">107105</a> </td> </tr> <tr> <th>Summary</th> <td>glyph.c ignores allocation failures with possible heap corruption </td> </tr> <tr> <th>Product</th> <td>XCB </td> </tr> <tr> <th>Version</th> <td>unspecified </td> </tr> <tr> <th>Hardware</th> <td>Other </td> </tr> <tr> <th>OS</th> <td>All </td> </tr> <tr> <th>Status</th> <td>NEW </td> </tr> <tr> <th>Severity</th> <td>normal </td> </tr> <tr> <th>Priority</th> <td>medium </td> </tr> <tr> <th>Component</th> <td>Utils </td> </tr> <tr> <th>Assignee</th> <td>xcb@lists.freedesktop.org </td> </tr> <tr> <th>Reporter</th> <td>mrsam@courier-mta.com </td> </tr> <tr> <th>QA Contact</th> <td>xcb@lists.freedesktop.org </td> </tr></table> <p> <div> <pre>In renderutil/glyph.c, _grow_stream() checks if realloc() fails, but doesn't really do anything about that, and simply returns. All existing callers of _grow_stream() assume that it succeeds, and proceed to blindly memcpy() more stuff to the stream. There's a remote chance of this being exploitable. An attacker would have to cause an application that uses xcb to: - run out of memory - proceed to create a text stream consisting of glyph data that overwrites and corrupts the existing heap space, in some controlled way. A brief survey of the existing calls to _grow_stream() suggests that plugging this hole is trivial -- have _grow_stream() return an error indication, and all existing calls to _grow_stream() in glyph.c can simply return, in that case.</pre> </div> </p> <hr> <span>You are receiving this mail because:</span> <ul> <li>You are the assignee for the bug.</li> <li>You are the QA Contact for the bug.</li> </ul> </body> </html>